1.为什么侦察是 漏洞挖掘挣钱的关键？

链接： https://twitter.com/osiryszzz/status/1378540350281687044

步骤：

1 – the sqlis were damn easy to identify – discovering the resources affected, not so much. lots of recon (gau, google dorking, spidering, url guessing) on target. discovered a number of web services, however no vulns

SQL注入非常容易识别，发现受影响的资源不容易。大量的侦察(gau,google daring, spidering ， url guessing ) ，发现一些网络服务，但是不会有漏洞。

2 – kept URL guessing and found a zip file containing web.config – several creds leaked – more interesting was the URLs disclosed in there as they point to asmx web services – turns out 90% of these are on sites out of scope

继续进行网址猜测，发现了一个包含web.config的zip文件。有几个信息泄露，包括了指向asmx的网络服务。但是多数不在测试范围内。

3 – the paths of these web services were somehow similar to other folders and couple web services that existed on the main target, so I created several dictionaries to be used in an attack with permutations to see if the site had these endpoints just in different folders

发现web服务的路径在某种程序上与其他的文件夹类似，并存在于主目标的几个web服务上。所以我创建了一个字典用于攻击，看看是否存在不同的文件夹的端点。

4.- dict1 known folders on target. dict2, dict3 both had paths extracted from the urls in web.config, with some permutations based on names similarities I inferred; dict4 endpoints from web.config. ran ffuf cluster-bomb style out of 35k possibilities, found 10+

测试了3个文件夹的，从web.config中的url提取路径，还有一些推断的相似的排列，从35000中可能性中使用ffuf找到了10+以上。

5.- 10+ web services that supposedly were on OOS sites, however available in different locations on target in scope. each web service had many endpoints (some even 30-40). moral of the story, these had more holes than swiss cheese. that’s were all sqlis were

在10个以上的web服务中，有OOS网站，但是不在可接受范围内。每一个web服务有很多的端点，意味着漏洞比较多。

6 – TLDR; would i have reported the web.config finding immediately, other people would have seen the URLs and perhaps locate these web services on the target; i didn’t report it and worked until i found their location and reported as many sqlis as i could.

我立即报告了web.config查找的结果，其他人可能看到了url，并在目标上定位这些web服务。我主要是想找到竟可能多的SQL注入。

7 – my take away and tip for the reader: don’t report a bug as soon as you find it, especially if it shows that it can be used to further own a target. keep the intel for yourself and hack. if after a while it doesn’t lead to anything, report the bug and move on.

给读者的建议，一旦发现了bug，不要马上报告。特别是有可能有收获的时候，把情报留给自己。如果没有进展，过一段时间再报告。

2.I Built a TV That Plays All of Your Private YouTube Videos

链接： https://bugs.xdavidhu.me/google/2021/04/05/i-built-a-tv-that-plays-all-of-your-private-youtube-videos/

3.Breaking GitHub Private Pages for $35k

链接： https://robertchen.cc/blog/2021/04/03/github-pages-xss

4.BugBountyTip

链接： https://twitter.com/intigriti/status/1379044920074375175